mirror of
https://github.com/owncast/owncast.git
synced 2024-11-29 11:39:08 +03:00
b835de2dc4
* Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com>
103 lines
3 KiB
Go
103 lines
3 KiB
Go
package indieauth
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
|
|
"github.com/owncast/owncast/auth"
|
|
ia "github.com/owncast/owncast/auth/indieauth"
|
|
"github.com/owncast/owncast/controllers"
|
|
"github.com/owncast/owncast/core/chat"
|
|
"github.com/owncast/owncast/core/user"
|
|
log "github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// StartAuthFlow will begin the IndieAuth flow for the current user.
|
|
func StartAuthFlow(u user.User, w http.ResponseWriter, r *http.Request) {
|
|
type request struct {
|
|
AuthHost string `json:"authHost"`
|
|
}
|
|
|
|
type response struct {
|
|
Redirect string `json:"redirect"`
|
|
}
|
|
|
|
var authRequest request
|
|
p, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
controllers.WriteSimpleResponse(w, false, err.Error())
|
|
return
|
|
}
|
|
|
|
if err := json.Unmarshal(p, &authRequest); err != nil {
|
|
controllers.WriteSimpleResponse(w, false, err.Error())
|
|
return
|
|
}
|
|
|
|
accessToken := r.URL.Query().Get("accessToken")
|
|
|
|
redirectURL, err := ia.StartAuthFlow(authRequest.AuthHost, u.ID, accessToken, u.DisplayName)
|
|
if err != nil {
|
|
controllers.WriteSimpleResponse(w, false, err.Error())
|
|
return
|
|
}
|
|
|
|
redirectResponse := response{
|
|
Redirect: redirectURL.String(),
|
|
}
|
|
controllers.WriteResponse(w, redirectResponse)
|
|
}
|
|
|
|
// HandleRedirect will handle the redirect from an IndieAuth server to
|
|
// continue the auth flow.
|
|
func HandleRedirect(w http.ResponseWriter, r *http.Request) {
|
|
state := r.URL.Query().Get("state")
|
|
code := r.URL.Query().Get("code")
|
|
request, response, err := ia.HandleCallbackCode(code, state)
|
|
if err != nil {
|
|
log.Debugln(err)
|
|
msg := fmt.Sprintf("Unable to complete authentication. <a href=\"/\">Go back.</a><hr/> %s", err.Error())
|
|
_ = controllers.WriteString(w, msg, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Check if a user with this auth already exists, if so, log them in.
|
|
if u := auth.GetUserByAuth(response.Me, auth.IndieAuth); u != nil {
|
|
// Handle existing auth.
|
|
log.Debugln("user with provided indieauth already exists, logging them in")
|
|
|
|
// Update the current user's access token to point to the existing user id.
|
|
accessToken := request.CurrentAccessToken
|
|
userID := u.ID
|
|
if err := user.SetAccessTokenToOwner(accessToken, userID); err != nil {
|
|
controllers.WriteSimpleResponse(w, false, err.Error())
|
|
return
|
|
}
|
|
|
|
loginMessage := fmt.Sprintf("**%s** is now authenticated as **%s**", request.DisplayName, u.DisplayName)
|
|
if err := chat.SendSystemAction(loginMessage, true); err != nil {
|
|
log.Errorln(err)
|
|
}
|
|
|
|
http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
|
|
|
|
return
|
|
}
|
|
|
|
// Otherwise, save this as new auth.
|
|
log.Debug("indieauth token does not already exist, saving it as a new one for the current user")
|
|
if err := auth.AddAuth(request.UserID, response.Me, auth.IndieAuth); err != nil {
|
|
controllers.WriteSimpleResponse(w, false, err.Error())
|
|
return
|
|
}
|
|
|
|
// Update the current user's authenticated flag so we can show it in
|
|
// the chat UI.
|
|
if err := user.SetUserAsAuthenticated(request.UserID); err != nil {
|
|
log.Errorln(err)
|
|
}
|
|
|
|
http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
|
|
}
|